10-14-2008 04:16 PM - edited 03-11-2019 06:57 AM
Simple question:
Does the AIP module inspect RETURN packets to a request made from an inside host?
(Or does it just inspect packets that originate outside?)
TIA
10-14-2008 10:14 PM
Yes, the return packet also goes through the SSM Engine...
To explain in a bit more detail... for example,
Let's say you have a connection from an inside machine to a web server on the internet (no encryption being done).
If you apply the policy to the inside, the SSM analysis will be done as the last thing before the packets are transmitted. The packets to the web server will be checked against ACLs and NAT'd before being sent to the SSM. Similarly, the packets to the inside client will be checked against ACLs and NAT'd back to internal addresses before being sent to the SSM.
So in both directions the SSM analysis is the last feature being done.
NOTE: Because NAT changes are done before SSM analysis, the SSM sees some packets with NAT addresses and other packets with Local addresses. To help the SSM properly track the packets, the ASA adds an additional header to the packet that lets the SSM know the Local addresses for the packets.
So the SSM always looks in the additional header of the packet to know the Local addresses and uses those Local addresses when doing analysis and alarming.
If you were to instead put the policy on the outside interface, there would be no change in the order of the features. The SSM analysis would still be the last thing done on the packets.
Do Rate If Helpful !
10-17-2008 06:14 PM
As another scenario, let's say you have a VPN tunnel set up on the firewall. An inside client is talking to a server through the VPN tunnel that goes through the outside interface. If you apply the policy to the inside interface, then packets to the server will be checked against ACLs (NAT'd if necessary), then sent to the SSM for analysis. When it comes back from the SSM, then it is encrypted and sent through the tunnel.
The encryption happens after analysis.
The packets from the server will be checked against ACLs, AND decrypted Before being sent to the SSM.
So you see that Encryption is the only thing happening After SSM analysis.
If you applied the policy to the Outside interface there is NOT any change to the order of the features. Packets to the server (into the VPN tunnel) still get analyzed Before encryption, and packets from the server (from the VPN tunnel) still get decrypted Before analysis by the SSM.
So applying the policy to a different interface does NOT change the order in which the features get applied to the packet.
A packet goes through the same steps regardless of whether the policy is on the inside or outside interface.
The difference is just in which packets get analyzed.
If you place it on the inside, the packets between inside and outside will be monitored AS WELL AS packets between inside and DMZ, BUT the packets between outside and DMZ will not be monitored.
If you place it on the outside, the packets between the inside and outside will still be monitored. But now packets between outside and DMZ get monitored, and packets between inside and DMZ do NOT get monitored.
Hope it helps !
10-17-2008 10:23 AM
ASHISH, a follow-up question:
How does the SSM engine deal with VPN traffic?
1. Remote VPN connection - it would seem the traffic would have to be inspected after decryption. Is this true?
2. L2L VPN connection - similar?
TIA
10-17-2008 08:12 PM
Excellent explanations.
Thanks for the replies.
10-18-2008 04:35 PM
The info from ASHISH is really great :)
But I am wondering about something,
which is the application of the policy.
You mentioned if it is applied inside, outside and so on, which is all true.
Did you mean the policy is the policy that sends traffic to the SSM for inspection??
If yes,
why don't you apply it globally? In this case you will have all the interfaces included in the inspection regardless of the traffic direction,
and when you apply it globally you can narrow it to inspect only traffic from a specific source going to a specific destination or any destination by using an extended ACL!!!
Hope this is helpful
thank you
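Putting the last post together with the earlier replies: the following is an added, constructed ASA Modular Policy Framework fragment (not configuration from anyone in this thread) that sends only selected traffic to the AIP-SSM inline through a global service policy narrowed by an extended ACL. The ACL name, class and policy names, and the 10.1.1.0/24 network are made up for the example.

```text
! Constructed example: inspect only the flows we choose, applied globally
! so the interface/direction pairing in the replies above no longer matters.
!
! 1. Extended ACL that narrows what reaches the sensor. Only traffic
!    involving the (made-up) inside LAN 10.1.1.0/24 is listed; both
!    directions are spelled out to make the intent explicit.
access-list IPS_TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 any
access-list IPS_TRAFFIC extended permit ip any 10.1.1.0 255.255.255.0
!
! 2. Class map that matches the ACL.
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! 3. Policy map that hands the matched class to the AIP-SSM inline.
!    fail-open: if the module is down, traffic passes uninspected;
!    fail-close would drop it instead. Pick according to your risk posture.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
! 4. Apply globally: all interfaces, return packets included, with the ACL
!    (not the interface the policy sits on) deciding what gets inspected.
service-policy global_policy global
!
! Check the class is seeing hits after a test connection:
! show service-policy
```

To reproduce the per-interface behaviour described earlier in the thread (inside<->outside and inside<->DMZ inspected, outside<->DMZ not), attach the same policy map with `service-policy <name> interface inside` instead of `global`.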